UPDATE — SEPTEMBER 2025:
The EDPB’s public consultation on Guidelines 02/2024 (Article 48 GDPR) closed on 27 January 2025, and the Board has since been revising the text. Plenary readouts in May signaled edits based on heavy feedback from financial services, cloud providers, research bodies, and NGOs—especially clarifying the interplay between Article 6 legal bases and Chapter V transfer rules, how to handle direct demands from third-country authorities absent an MLAT or equivalent, the narrow use of Article 49 derogations, and documentation for emergency or national-security-framed requests. A final version is expected in late 2025.
ORIGINAL NEWS STORY:
EDPB Opens Public Consultation on Article 48 GDPR Guidelines
The European Data Protection Board (EDPB) has opened a public consultation on its newly adopted Guidelines 02/2024 on Article 48 of the General Data Protection Regulation (GDPR). The consultation runs until January 27, 2025, and invites feedback from organizations, researchers, and civil society.
The guidelines were adopted on December 2, 2024. They clarify how EU data protection law applies when non-EU authorities request access to personal data held by entities in the European Union.
What Article 48 GDPR Covers
Article 48 addresses requests from third-country courts or public authorities that seek personal data located in the EU. The GDPR allows recognition or enforcement of such requests only when they rely on an international agreement, such as a mutual legal assistance treaty, or when another GDPR-compliant legal basis applies.
The provision aims to protect EU data sovereignty. It prevents foreign authorities from bypassing EU data protection safeguards through unilateral demands.
How Organizations Should Handle Foreign Data Requests
The guidelines explain how EU-based controllers and processors should respond when they receive direct requests from third-country authorities. The EDPB stresses that organizations must meet two legal requirements at the same time.
First, processing must have a valid legal basis under Article 6 GDPR. Second, any disclosure or transfer must comply with Chapter V of the GDPR, which governs international data transfers.
The EDPB makes clear that meeting one requirement does not excuse failure to meet the other.
Legal Bases and Transfer Mechanisms
Where an international agreement exists, organizations may rely on Article 6(1)(c) or 6(1)(e) GDPR. The agreement may also support a lawful transfer mechanism under Chapter V.
When no such agreement applies, organizations must assess alternative options. These may include specific and narrow derogations under Article 49 GDPR. The guidelines caution that derogations should remain exceptional and case-specific.
Safeguards and Risk Assessment
The EDPB encourages organizations to conduct careful assessments before responding to third-country requests. Controllers and processors should evaluate necessity, proportionality, and the impact on data subject rights.
The guidelines also highlight the need to consider national procedural laws and other applicable legal obligations. Proper documentation plays a key role in demonstrating compliance.
Protecting Against Extraterritorial Overreach
The EDPB reiterates that Article 48 protects against the extraterritorial application of non-EU laws that conflict with GDPR standards. The provision ensures that international data access does not weaken privacy rights guaranteed under EU law.
By clarifying these obligations, the EDPB aims to give organizations practical guidance while reinforcing the GDPR’s core principles.
How to Participate in the Consultation
Stakeholders may submit comments through the EDPB’s online consultation form until January 27, 2025. The EDPB may publish submissions on its website after review.
The full guidelines and submission details are available through the EDPB’s official channels.
Need Help?
If you have questions or concerns about any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
